The fact that the L-shaped tweaking pattern causes really weird effects has been known for a while now and was previously known as the "????? Glitch", but after analyzing the effects of the tweak, I decided to give it a more descriptive name that mirrors its effects—the "Cascade Glitch".

TRIGGERING THE CASCADE GLITCH

In order to trigger the glitch, all you need to do is tweak using any L-shaped pattern in the fastest gear of your bike.

No really, that's it.

THE EFFECTS

The reason it's called the Cascade Glitch is because of the one constant that always occurs each time this glitch is triggered—starting from the map data ID (0 - 665) that you refreshed the screen in, the map tile data, 3D model data, building data, et al. for each successive map data ID is written to RAM immediately after the tweak. The chaotic nature of such an effect means that freezes will occur a lot of the time.

However, because the data written to RAM depends on the map data ID that you refreshed the screen in, you're able to influence the data that gets written and, to a loose extent, where that data gets written. This means that altering progression flags is completely possible using this method.

EXAMPLE

So what exactly happened here?

As a little background information, the tile data for each map should be at least somewhat legible, such as the map tile data for lower Jubilife City below.

1111111111111111111111111111111111111111111111111100006900000000111111111111111111111111111111111111111111111111110000000000000011111111111111111111111111111111111111111111111111000000000000001111111111111111111111111111111111111111111111111100000000000000111111111111000000000011111111111111111111111111110000000000000011000000000000000000001111111111111100000000000011000000000000001100000000000000000000111111111111110000000000001100000000000000110000000000000000000000111111111100000000000000110000000000000000001111111100006E000011111111111111000069000000000000000000000011111111111111111111111111111111111111111111111111000000000000001111111111111111111111111111111111111111111111111100000000000000111111111111111111111111111111111111111111111111110000000000000011111111111111111111111111111111111111111111111111000000000000001111111111111111111111111111111111111111111111111100000000000000000000001111111111111111111111111111111111111111110000000000000000000000110000000000111111111111111111111111111111000000000000000000000011000000000011111111111111111111111111111100000000000000000000000000000000001111111111111111111111111111110000000000000000000000000000000000111111111111111111111111111111000000000000000000000000000000000011111111111111111111110000000000000000000000000000000000006900001111111111111111111111000000000000000000000000000000111111111111110011111111110011111100000000000000001100000000000011111111111111111111111111111111110000000000000000110000000000001111111111111111111111111111111111000000000000000011000000000000111111111111111111111111111111111100000000000000001100000000000011111111111111111111111111111111110000000000000000110000000000000000000000000011111111111111000000000000000000000000000000000000000000000000001111111111111100000000000000000000000000000000000000000000110000111111111111110000000000000000000000000000000000000000000011000000001111110000000000000000000000000000000000000000000000001111111111111111111100000000000000000000000000000000000000000000
111111111111111111110000000000000000000000000000

Okay, so that's not the actual map tile data for lower Jubilife City, but it gets the point across that it should at least be somewhat legible and able to be discerned just from looking at the layout.

First, to pull off this tweak, you'll want to refresh your screen anywhere in the area below. You can do this by opening the Bag or performing any action that forces the graphics to be redrawn.

Next, perform the tweak as shown in the previous GIF. If you need help locating the loadlines in order to do this, you can find them here.

After performing the tweak, the map tile data for Route 202 will be replaced with the data below.

not what it should be.

If you were to load the graphics for this area, it would look a little something like this:

The section containing pointers to the currently-loaded map data (as well as the data that will be imminently loaded) can be found at Base + 0x8BAD0. This section has enough space for 3 areas, which is all that should ever need to be reserved within normal gameplay, since it's not possible to load 4 different areas in such quick succession. I'm guessing that's what the devs thought, anyway.

I've created a visual representation of the pointer storage location as well as the pointers to the current map data for additional detail, found below.

The 4 pointers are arranged in the following order:

Top-Left

Top-Right

Bottom-Left

Bottom-Right

In this case, the 3rd pointer is the address of the garbled data. This means that the area we're currently in (Route 202) should be located in the bottom-left of the 4 currently loaded areas, which it is.

MISCELLANEOUS

Doing this in Valor Lakefront yields some pretty amazing results. Instead of simply writing the data for each successive map data ID, it completely annihilates your base pointers. The base pointers located at 0x02101D20 just get overwritten with zeroes.

The result?

Since there aren't any base pointers, the game just kind of gives up and crashes. It also messed up my ASLR calculations in the VET script and caused all of my values to return 0.

If that kind of thing is possible just by tweaking, then I think that this may very well be our best chance at ACE in Gen IV.

POSTSCRIPT

I should be receiving an IS-NITRO-DEBUGGER development kit through the mail within the next few days, and I fully plan to analyze this glitch further on actual hardware. It's hard to tell whether some of these results are due to emulation errors or whether these would actually happen on a console.
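The post above tells sane map tile data from cascade output by eye: a real area is "somewhat legible" when laid out in rows, garbage is not. The following is an added example, not code from the post or from the game, that turns that eyeball check into something you can run over a RAM dump: it guesses the row width of a flat tile dump by autocorrelation (the lag at which rows line up), lays it out as hex rows the way the post does, and scores how structured it looks. The tile format (one byte per tile, no header), the sample area, its width and the tile values are all constructed assumptions; the real Gen IV layout is not described in the thread.

```python
"""Checking whether a dump of map tile data is "legible".

Added example, not code from the original post or the game. Assumptions
(all constructed): one byte per tile, rows stored back to back with no
header, and a 16-tile-wide sample area. The real Gen IV layout is not
described in the thread.
"""
from __future__ import annotations

import random
import zlib

TILE_WIDTH = 16  # assumed row width of the constructed sample, in tiles

# Assumed tile ids for the picture below: '#' wall/building, '.' ground,
# 'D' a door, loosely echoing the 11/00/69 values in the post's listing.
_TILE = {"#": 0x11, ".": 0x00, "D": 0x69}
_ROWS = [
    "################",
    "#..............#",
    "#..............#",
    "#..###D........#",
    "#..####........#",
    "#..............#",
    "#..........#####",
    "#..........#####",
    "#..............#",
    "#...............",
    "#...............",
    "################",
]
assert all(len(r) == TILE_WIDTH for r in _ROWS)
SANE_MAP = b"".join(bytes(_TILE[c] for c in r) for r in _ROWS)

# Constructed stand-in for cascade output: bytes with no row structure at all.
_rng = random.Random(0xC45C)
GARBLED_MAP = bytes(_rng.getrandbits(8) for _ in range(len(SANE_MAP)))


def render(tiles: bytes, width: int) -> list[str]:
    """Lay the flat dump out as rows of hex, the way the post shows it."""
    return [tiles[i:i + width].hex() for i in range(0, len(tiles), width)]


def lag_similarity(tiles: bytes, lag: int) -> float:
    """Fraction of bytes equal to the byte `lag` positions later.
    At the true row width this compares each tile with the one above it."""
    pairs = len(tiles) - lag
    if pairs <= 0:
        return 0.0
    return sum(tiles[i] == tiles[i + lag] for i in range(pairs)) / pairs


def guess_width(tiles: bytes, min_width: int = 4) -> int:
    """Pick the stride at which rows line up best (autocorrelation on the dump).
    Widths are capped so at least four rows get compared; without the cap a
    lag equal to the distance between two identical rows (top and bottom
    border, say) scores a perfect 1.0. Symmetric or periodic maps can still
    fool this, so always look at render() at the guessed width."""
    max_width = len(tiles) // 4
    return max(range(min_width, max_width + 1),
               key=lambda w: lag_similarity(tiles, w))


def legibility(tiles: bytes, width: int) -> float:
    """Fraction of horizontally adjacent tiles that are equal: terrain comes
    in runs, cascade garbage does not."""
    rows = [tiles[i:i + width] for i in range(0, len(tiles) - width + 1, width)]
    pairs = [(r[c], r[c + 1]) for r in rows for c in range(width - 1)]
    return sum(a == b for a, b in pairs) / len(pairs)


def compressibility(tiles: bytes) -> float:
    """zlib output size over input size; structured data compresses well,
    a dump with no structure comes out slightly larger than it went in."""
    return len(zlib.compress(tiles, 9)) / len(tiles)


def report(tiles: bytes) -> dict:
    """The three numbers a quick triage of a dump needs."""
    width = guess_width(tiles)
    return {
        "guessed_width": width,
        "legibility": round(legibility(tiles, width), 3),
        "compressibility": round(compressibility(tiles), 3),
    }


if __name__ == "__main__":
    for label, dump in (("sane", SANE_MAP), ("garbled", GARBLED_MAP)):
        print(label, report(dump))
        print("\n".join(render(dump, TILE_WIDTH)))
```

On the constructed sample the sane area is guessed at width 16, scores high on neighbour agreement and compresses to a fraction of its size; the random stand-in does none of those. Lags that are multiples of the true width and left/right symmetric maps also score well on the autocorrelation, which is why the guessed width is only a starting point for looking at the rendered rows.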

That's really interesting. I saw Crystalmourne's video about the cascade glitch but didn't know exactly what it was. Hope you or another person find arbitrary code execution with it!

« Last Edit: February 16, 2017, 05:43:09 pm by Torchickens »


Hi!

I'm Evie.

I'm a transgender person, but any pronouns are fine. She/her preferred.

Unfortunately due to legal concerns I won't be using emulators and unauthorised copies of ROMs anymore, just real hardware with official cartridges and a cheating device (Xploder) to aid research, sorry.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪

Thanks Aeriixion for the cute sprite above! Roelof also made different variations of the sprite (which I animated).

Contact: If you like, please contact me by private message here on the forums as I no longer check other places very often.

To love yourself is to believe in yourself, respect yourself, but to make allowances for weakness. If you do the same with others in need (believing in them), in keeping an open mind and being modest, then it will not only help each other but can make life more meaningful. The heart though, has no script, and true wisdom may not exist; often ignorance can give us bliss and the darker times enlighten us later on.

Yes, we've been thinking on how this glitch could lead to ACE for a while, but it's hard to progress blind... If I remember well, during PRAMA's tweaking research group works, we also noticed that sometimes it introduces the OT in Pokémon names and weird stuff like that. I hope it will eventually lead somewhere.

« Last Edit: February 17, 2017, 03:49:05 am by Krys3000 »


Admin of the PRAMA Initiative, the main French Pokémon glitch website: http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov


If I remember correctly, the trick was that it messed up the name and the name wasn't terminated properly (no FF at the end), so we could see the OT in it (because it is located just after the name in RAM).

So yes, it's not only about maps.

As far as I know it can impact:
- Names of Pokémon (wild encounters or Pokémon hatched from eggs; I don't remember if it is the case for battles against trainers)
- Texts (the most common effect is text becoming blank or one letter repeating itself). Here are some examples:
- Color palette of the Trainer Card (it is quite common too).
- And as you said, it can slow the game down, which is really interesting.
- It can also, obviously, crash, which is in fact also interesting.

The glitch was also affecting some sprites but I can't tell if it was just emulation related.

But anyway, as you can see it's messing up a lot of different stuff, so if we're able to really understand how it works we could try to use it in a useful way (like messing with scripts?). So yeah, that's indeed a great gateway to ACE!
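The "no FF at the end" observation above is the classic unterminated-string read: a reader that scans forward for the terminator walks straight out of the name field and into whatever is stored next, here the OT name. The following is an added example, not code from the thread or from the game, showing the fragile reader next to a bounded one. The record layout is an assumption made for illustration (an 11-byte nickname field followed directly by an 8-byte OT name field, each 0xFF-terminated and 0xFF-padded); Gen IV's real structure and text encoding are not described on the page.

```python
"""How an unterminated name field leaks the field stored after it.

Added example, not code from the thread or from the game. The record
layout is an assumption made for illustration: an 11-byte nickname
field followed directly by an 8-byte OT name field, each terminated by
0xFF and padded with 0xFF. Gen IV's real structure and text encoding
are not described on the page.
"""
from __future__ import annotations

NAME_LEN = 11  # assumed field size
OT_LEN = 8     # assumed field size
TERM = b"\xff"


def pack_field(text: bytes, size: int, terminated: bool = True) -> bytes:
    """Store text in a fixed-size field: terminator first, then padding.
    terminated=False models the corruption reported in the thread: the
    slot is completely filled and nothing marks where the name ends."""
    if terminated:
        if len(text) >= size:
            raise ValueError("text leaves no room for the terminator")
        return text + TERM * (size - len(text))
    if len(text) != size:
        raise ValueError("an unterminated field must fill its slot")
    return text


def build_record(nickname: bytes, ot: bytes, terminated: bool = True) -> bytes:
    """Nickname field immediately followed by the OT field, as assumed above."""
    return pack_field(nickname, NAME_LEN, terminated) + pack_field(ot, OT_LEN)


def read_name_unbounded(buf: bytes, off: int) -> bytes:
    """Fragile reader: scan forward until some terminator turns up.
    When the nickname has none, the scan only stops at the OT field's
    terminator, so the OT is displayed as part of the name. With no
    terminator anywhere it returns the rest of the buffer."""
    end = buf.find(TERM, off)
    return buf[off:] if end < 0 else buf[off:end]


def read_name_bounded(buf: bytes, off: int, size: int) -> bytes:
    """Safe reader: the field boundary, not the terminator, limits the read."""
    field = buf[off:off + size]
    end = field.find(TERM)
    return field if end < 0 else field[:end]


def leak_demo() -> tuple[bytes, bytes]:
    """What each reader shows for a corrupted (unterminated) nickname."""
    rec = build_record(b"ABCDEFGHIJK", b"DAWN", terminated=False)
    return read_name_unbounded(rec, 0), read_name_bounded(rec, 0, NAME_LEN)


if __name__ == "__main__":
    unbounded, bounded = leak_demo()
    print("unbounded:", unbounded)  # the OT rides along behind the name
    print("bounded:  ", bounded)
```

The bounded reader is the fix a display routine needs; the same bound is what a researcher relies on in the other direction, since an over-long read that reaches adjacent fields is exactly how a corrupted name ends up showing OT data on screen.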

I did a lot of research into the corruption of graphics with this glitch, especially in the menus; it's currently useless, however, as the game freezes upon opening any menu.

What do you mean? For me the game isn't freezing every time at all.

Maybe it depends on the location where you did the Cascade Glitch; the effect really seems to depend on the location. You get pretty much the same effects if you do it twice at the same place. Also, the "OPTIONS" menu NEVER crashes, so if you want to reload graphics use this one. Even after that, the effects in the menu and on wild Pokémon will stay.

Actually, battles seem to crash a lot; I don't know if it's only related to text, as I have never seen other effects in battle. The only effect that I managed to keep after saving and resetting was the name of a Pokémon hatched from an egg. Not very useful.

I had also noticed that after doing the CG, some genuine tweak patterns now crash, including the CG one. Seems strange. Maybe we should try to do the CG more than once.

Just to mention that BUGLITCH is also a member of PRAMA, which means he reports stuff on French games, in case this explains the differences.


Doing this on console also, I can't seem to get it to work either. 99% of any tweaking patterns I've tried on the fast bike just freeze the game instantly. Even the example shown in the first post doesn't seem to work, freezing like all the others... The one that slows down Jubilife City does work, strangely enough, but opening any menu froze the game. Does the outcome of the tweaking depend on other factors (like items in the bag, party Pokémon, etc.), or does it just not work on console?


It depends on how the hardware deals with certain conditions, especially when the error handler isn't called and the operating environment gets highly corrupted. The corruption itself is mostly based on the current state of the loaded map tile data, but other factors could definitely affect the glitch.

When RTS is enabled for Platinum on my R4, when the game normally crashes, the RTS wrapper is called and I can save/load my states or return to the R4 firmware just fine... could we use this to load homebrew?


Ask me about betrayal. Ask me about depression. Ask me about death. Ask me about destruction. Ask me about hardship. I've been through s**t. If you need to talk to someone, my PM inbox is always open.
